GMS-2021-48: User can obtain JWT token even if account is disabled

September 29, 2021

Users can authenticate this way even if their user account is disabled. This is a high risk vulnerability when account disabling is used to block users’ access to the system. (Someone who never had an account cannot exploit this vulnerability.) The fix ensures tokens are generated only for enabled user accounts, and is distributed via Composer as ezsystems/ezplatform-rest v1.3.8

References

developers.ibexa.co/security-advisories/ibexa-sa-2021-007-jwt-auth-possible-for-disabled-users.-username-login-handler-can-t-be-disabled
github.com/advisories/GHSA-36mj-6r7r-mqhf
github.com/ezsystems/ezplatform-rest/security/advisories/GHSA-36mj-6r7r-mqhf

Code Behaviors & Features

Detect and mitigate GMS-2021-48 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →